References

Information Commissioner's Office. Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution. 2018. http://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/11/six-month-prison-sentence-for-motor-industry-employee-in-first-ico-computer-misuse-act-prosecution (accessed 11 September 2019)

Information Commissioner's Office. Intention to fine British Airways £183.39m under GDPR for data breach. 2019. http://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-ico-announces-intention-to-fine-british-airways (accessed 11 September 2019)

BBC. Morrisons loses data leak challenge. 2018. http://www.bbc.co.uk/news/business-45943735 (accessed 11 September 2019)

The firm hand of the law: ensuring compliance with the General Data Protection Regulation

02 October 2019
Volume 8 · Issue 8

Abstract

Data compliance is a mandatory task that carries with it harsh penalties for breaches. Adam Bernstein, in collaboration with Carl Johnson, explains why clinics need to pay attention to the new laws in place

Adam Bernstein

The data that clinics hold on employees, suppliers and clients are very important and need protecting. This is supported by the very fact that Europe brought in a new data protection regime last year, the General Data Protection Regulation (GDPR), which the UK put into effect with the Data Protection Act 2018.

Sadly, it is not difficult to find examples of firms that have been caught out by the actions of wayward (ex) employees abusing systems they have been allowed access to by trusting employers.


In late 2018 (albeit, this is an example from the motor industry), an individual was given a 6-month prison sentence for accessing thousands of customer records containing personal data without permission (Information Commissioner's Office, 2018). He used his colleagues' log-in details to access a software system that estimates the cost of vehicle repairs.

Carl Johnson, a partner and the head of the regulatory department at Stephensons Solicitors, says that the UK's data protection regulator, the Information Commissioner's Office (ICO), brought the prosecution under the Computer Misuse Act 1990. ‘Most cases,’ says Johnson, ‘are usually prosecuted by the ICO under the Data Protection Act. However, in some cases, it can prosecute under other legislation—in this case, section 1 of the Computer Misuse Act—to reflect the nature and extent of the offence and for the sentencing court to have a wider range of penalties available.’ As Johnson recounts, ‘in this instance, it appears that the individual, Mustafa Kasim, had accessed the records while employed at Nationwide Accident Repair Services and continued to do so after starting a new job at a different car repair organisation which used the same software system.’ Kasim pleaded guilty to a charge of securing unauthorised access to personal data between 13 January 2016 and 19 October 2016 at a hearing in September 2018 and was sentenced at Wood Green Crown Court.

When the GDPR came into force in May 2018, it changed how businesses (known as data controllers) should handle the personal information of their customers and employees. From Johnson's perspective, ‘it significantly strengthens the regulation of data controllers—providing the ICO with powers to impose substantial fines for non-compliance. It also provides individuals with an array of rights that consumers and employees can look to enforce via the courts.’

He adds that the new law is, in part, ‘intended to force a cultural change in how we think about and protect people's personal information’. It is also intended to bring the law up to date with advances in technology as well as the widespread use of internet-based applications and social media.

A quick search of the ICO's website shows that there are huge financial penalties available to the regulator for cases of non-compliance—with fines of up to 4% of a company's annual global turnover for the preceding financial year or the equivalent of €20 million (whichever is greater). To illustrate the risk, at the start of July 2019, it was announced that British Airways was to be handed a fine of £183 million (1.5% of their turnover) for a breach that occurred in 2018 (Information Commissioner's Office, 2019). Clearly, the new law has teeth.

Most businesses have already adapted their systems and processes for the new law; however, many others will either still be in the process of making the required changes or will not have begun yet. The law applies equally to a small independent clinic and to a national chain, yet some still seem unaware that the law has changed.

As Johnson explains, ‘it is crucial to ensure that an organisation is compliant with the new law—particularly so that customer and employee data are handled safely and securely—reducing the risk of information being misused and the company's reputation suffering as a result.’ Furthermore, compliance lowers the risk of being hit with a substantial fine from the ICO and controls the likelihood of the company being sued by those who may have been adversely affected by a data breach.

Introduction of the GDPR impacts everyone, as it has transformed how businesses should be using and handling customers' and employees' personal data

The next case is an extreme one, but it is worth noting. Recently, the BBC reported that the supermarket Morrisons had been found vicariously liable for a data breach that saw the details of thousands of its employees posted online (BBC, 2018). As the story outlined, workers brought a claim against the company after an employee stole data, including salary and bank details, of nearly 100 000 members of staff. While he was jailed for 8 years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, the ICO found that Morrisons had not breached data protection law. Even so, Morrisons was left to pick up the bill for the affected employees' claims for damages.

So, practically speaking, how can a clinic ensure full compliance with the law? Johnson offers a nine-step guide.

Audit data processing activities

Firstly, he says, firms should consider where, when and how they process personal data and ‘should map their processing activities so they can identify all types of data processing that the company carries out. They should then seek to ensure that they have a lawful basis for each type of processing that they are conducting.’ Lawful reasons for processing are: ‘consent’, ‘performance of a contract’, ‘legal obligation’, ‘vital interests’, ‘public interest/exercise of official authority’ and ‘legitimate interests’. He adds that additional conditions also apply to any processing of ‘special categories’ of data—such as information about a person's health—which is prohibited unless further conditions are met.

Review contracts/service agreements with ‘data processors’

Data processors are those who process personal data on someone else's behalf. A good example of this is where a company outsources its payroll to an external company. In that instance, the external company is a data processor. On this, Johnson says that ‘data controllers must ensure that they only appoint data processors who have provided sufficient guarantees regarding their GDPR compliance.’ The law requires that this relationship be governed by a contract that details the parties' data protection obligations.

Review direct marketing activities

Clinics will market their brand; it is a given. But if they market directly to individuals, they must ensure that they have a lawful basis for using personal data for marketing purposes. An example of this is where firms send marketing emails to a person with their consent. Interestingly, Johnson says ‘it is not always necessary to have consent before marketing directly to people; however, this will depend upon the specific circumstances.’

When storing a customer's or employee's data, this personal information needs to be kept secure

Make sure that ‘fair processing information’ is provided

Businesses should ensure that they provide a privacy notice to individuals when they first collect their data. On this, Johnson says the privacy notice ‘should explain who the business is, provide its contact details, state the purposes for processing people's personal data and provide details of the legal basis upon which the business relies upon for processing the data.’ He explains that the details of any ‘legitimate interest’ relied upon for processing data, and the details of any third parties that the data may be sent to, should be outlined, ‘as well as details of any transfer of personal data that might occur to other countries and the rights individuals have under the GDPR.’

Register the business as a data controller with the Information Commissioner

If the business processes personal data, then it should register with the Information Commissioner. At the same time, Johnson says firms—unless micro-sized—should consider whether it is necessary to appoint a Data Protection Officer (DPO). He says, ‘even if it is not mandatory, a business may still wish to appoint a DPO in order to ensure that a single person takes responsibility for ensuring compliance.’

Implement policies and procedures to meet GDPR rights

Individuals have numerous rights under the GDPR, such as the right of access, the right to rectification and the right to erasure. If a firm receives such a request from an individual, it will be important to ensure that it responds to the request appropriately and within the one-month time limit. As Johnson sees it, ‘ensuring that a firm has policies and procedures in place to facilitate the handling of a request is important to ensure that the request is handled correctly and to demonstrate compliance with the law should an issue or complaint arise.’

Implement appropriate security measures

Businesses should ensure that their systems for processing personal data—both offline and online—are physically secure and use appropriate technical and organisational measures. This is critical for Johnson, who notes that ‘systems should be tested regularly, possibly via a reputable IT company to test the security and integrity of the firm's IT systems.’ It is fundamental that data are password protected with a secure, hard-to-crack key.

Conduct staff training

The vast majority of data breaches are the result of human error. This is why Johnson advises that staff are trained on data protection issues—‘the business must be able to demonstrate this in the event of a data breach … it is a critical step towards preventing a breach from occurring in the first place and may help in avoiding a financial penalty from the ICO in the event of a breach.’

Conduct a Data Protection Impact Assessment when necessary

Lastly, Johnson advises that if data processing is likely to result in a high risk to the rights and freedoms of individuals, ‘the business must conduct a Data Protection Impact Assessment (DPIA) before it begins that processing.’ In essence, a DPIA is a risk assessment aimed at identifying potential risks in the proposed processing of personal data, so that the data controller can address and minimise those risks and decide whether it is appropriate to conduct the proposed processing. A DPIA must be documented.

To conclude

The law is quite clear on what it expects and the punishment that it will mete out if the rules are not followed regarding data protection. As recent cases have shown, both individuals and companies are in the firing line for prison time and legal and financial responsibility for claims brought. Just because a clinic is small does not exempt it from the law; if anything, it raises the profile of those in control in the eyes of the regulator.